Owncloud: >> Owncloud >> 4.0.12 Security Vulnerabilities
Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register themselves and have the data directory in the web root. This affects ownCloud/core versions < 10.6.
CVSS Score
9.1
EPSS Score
0.003
Published
2021-02-09
ownCloud (Core) before 10.5 allows XSS in login page 'forgot password.'
CVSS Score
6.1
EPSS Score
0.004
Published
2021-01-15
The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.
CVSS Score
4.9
EPSS Score
0.014
Published
2020-02-17
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
CVSS Score
9.8
EPSS Score
0.01
Published
2020-02-11
Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header.
CVSS Score
6.5
EPSS Score
0.003
Published
2020-01-23
The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID implementation.
CVSS Score
9.8
EPSS Score
0.009
Published
2018-03-26
Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file.
CVSS Score
5.4
EPSS Score
0.004
Published
2018-03-20
ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to XSS on error pages by injecting code in url parameters.
CVSS Score
6.1
EPSS Score
0.004
Published
2017-07-17
Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue.
CVSS Score
5.4
EPSS Score
0.003
Published
2017-07-17
A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.
CVSS Score
5.3
EPSS Score
0.004
Published
2017-07-17